Many controllers, CFOs, and SOX Project Management Offices (PMOs) view Sarbanes-Oxley (SOX) Section 404 compliance as a “pass or fail” exercise. They believe the internal control over financial reporting (ICFR) assessment to be a stationary target or threshold, and that once the threshold is achieved it is time to focus on more worthwhile initiatives or put out other fires. In reality, SOX compliance has proven to provide additional benefits to organizations adopting it, such as identification of redundancies in processes, establishment of formal governance, and a view of risk exposures that may not have been previously identified. Additionally, SOX compliance (and companies’ risk/control environment) will always be dynamic and remain a moving target due to different factors:
- Industry trends,
- Changing PCAOB focus areas,
- Audit partner rotations, or
- External Audit Firm methodology
- Evolving business activities,
- Changes to companies’ internal environment due to IT upgrades and automation, outsourcing, relocations, entering or exiting new markets or products or services,
- Organizational restructuring, or
- M&A activities
There may not be a scenario for which achieving a “pass” requires more attention, focus, and effort than for a company exiting its status as an emerging growth company (EGC) and obtaining auditor attestation of its ICFR for the first time (if applicable). Although the requirements relating to “Management’s Assessment” in accordance with section 404(a) do not differ from those associated with 404(b), the inclusion of auditor attestation for a company exiting EGC status undoubtedly elevates the bar and the ICFR expectations.
Emerging Growth Company Overview
The EGC issuer category was created as part of the JOBS Act, which was passed by Congress and signed into law in April 2012 with the intent of promoting entrepreneurship by easing the regulatory burden on smaller companies accessing public markets. A variety of factors dictate a company’s status as an EGC. The most prevalent of these relate to revenue thresholds and time elapsed since a company’s IPO: a company may elect to be classified as an EGC if it had total annual gross revenues of less than $1.07 billion during its most recently completed fiscal year. It will retain its status until the last day of the fiscal year following the fifth anniversary of the date of the first sale of common equity securities of the issuer under an effective Securities Act registration statement as an EGC.
Enhanced ICFR Impact for Companies Exiting Emerging Growth Company Status
EGCs have a significantly reduced SEC compliance and reporting burden, as they are exempt from various requirements related to the IPO process as well as ongoing governance and disclosure requirements. One of the most significant exemptions relates to an independent auditor attestation of management’s assessment of its ICFR. These exemptions could continue as a “Non-accelerated filer” and a Smaller Reporting Company after the five-year mark, if the companies have not met their public float and annual revenue thresholds as published in the latest guidance issued by the SEC in March 2020. Although all public companies are required to attest to the adequacy of their ICFR in their quarterly and annual financial statements, there are often costs and operational burdens associated with obtaining an attestation from an auditor (applicable for many Accelerated Filers and all Large Accelerated Filers). Some of these costs, added efforts, and impacts include the following:
- Increased documentation/evidence requirements related to the execution of existing SOX controls,
- More complex audit process including potential to rely on controls that operate effectively,
- Increased audit fees,
- Increased headcount or contractor/consultant fees to enable adequate segregation of duties, manage SOX process, and test SOX controls,
- Audit and “SOX fatigue” for staff
Each of these factors is often amplified in the first year that a company requires an independent ICFR opinion. Even with the increased spending and effort, it can be challenging for companies to avoid significant deficiencies or reporting a material weakness over ICFR in their financial statements during “year-one”. Common significant deficiencies and material weaknesses reported in “year-one” can be attributed to a few different themes:
- Inadequate documentation for management review controls,
- Lack of accuracy and completeness validation for key reports and spreadsheets (IPE),
- Lack of adequate IT General Controls such as logical access controls and IT Change Management,
- Inconsistent or inadequate control evidence,
- Inadequate segregation of duties
The following table provides some specific examples of common control elements that are required under both sections 404(a) and 404(b), but that auditors will focus on beginning in “year-one” of an ICFR audit.
Preparing for Auditor Attestation of ICFR
For companies that will exit EGC status and require an ICFR auditor attestation, planning should occur in the years and periods preceding “year-one”. It is critical that incremental steps be taken to ensure that the company’s SOX program can facilitate a smooth and successful ICFR review. The SOX Program Management Office (or equivalent, such as Controller, CFO, or Accounting Manager) should develop a roadmap which identifies key areas of enhancement/development along with timelines for completion/implementation that align with the company’s exit from EGC status. The external auditor should be consulted throughout this process to ensure that the auditor’s expectations and preferences are considered and addressed. Audit Committees should incorporate these initiatives and future considerations for companies exiting EGC status in their purview, focus, and oversight.
The SOX burden for companies which require an auditor attestation of ICFR the first year after exiting EGC status is intensive and unavoidable. It is a “mindset” shift for the organization, as the level of rigor, documentation, and evidence expected is significantly greater than before. However, proactive steps in the periods leading up to “year-one” will often bear significant benefits, including reducing the necessary SOX-related spend and the inevitable internal frustration associated with the increased requirements. Therefore, companies currently in the third year of their EGC status that meet or are expected to meet the SEC public float and revenue thresholds should initiate their increased control and documentation requirements before “year-one”, while still an EGC. Doing so will reduce the likelihood of significant deficiencies and material weaknesses and make “passing” SOX all the more achievable.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality finance and accounting consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, and CFO advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skill sets to ensure the project is completed timely and accurately.